Target IP: 10.10.126.158
The web application development company SecureSolaCoders has created their own intranet page. The developers are still very young and inexperienced, but they assured their boss (Magnus) that the web application was secured appropriately. The developers said, "Don't worry, Magnus. We have learnt from our previous mistakes. It won't happen again". However, Magnus was not convinced, as they had introduced many strange vulnerabilities in their customers' applications earlier.
Magnus hired you as a third-party to conduct a penetration test of their web application. Can you successfully exploit the app and achieve root access?
There are six TCP ports open on the target machine. The HTTP applications on ports 80 and 8080 are interesting. I will start enumeration with these ports.
Port 8080: HTTP
Performing a directory search using feroxbuster shows the interesting result above.
The webpage above is shown for this application. This login page requires an email and password.
The source code of the HTML page contains the interesting HTML comment shown above. The username anders is helpful, as is the email format <name>@securesolacoders.no. I obtained two usernames: anders@securesolacoders.no and devops@securesolacoders.no. I also tried the username admin@securesolacoders.no and got a hit stating that the password is incorrect. Maybe brute-forcing is possible with these usernames? I tried running rockyou.txt but had no luck. Time to create personalised username and password lists.
Using the usernames from above and the words in the HTML comments as password candidates, I created two lists. I used the online password generator shown above to create the possible passwords.
Running the command hydra -L usernames -P passwords 10.10.126.158 -s 8080 http-post-form "/login:username=^USER^&password=^PASS^:Error", I had success with anders@securesolacoders.no:securesolacoders2022.
After logging in with the details above, the webpage above is displayed. It looks like an SMS with a four-digit code is sent to the phone number. Time to brute-force again. I input a random four-digit number and it was not accepted.
I had to research further on how to brute-force using hydra while supplying a session cookie. The article above showed me how.
I created a file called sms that contains the numbers from 1000 to 9999. I also obtained the session cookie of the logged-in user using the developer tools in the Mozilla Firefox browser.
Then running hydra with the command hydra -l anders@securesolacoders.no -P sms 10.10.126.158 -s 8080 http-post-form "/sms:sms=^PASS^:H=Cookie: session=eyJ1c2VybmFtZSI6ImFuZGVycyJ9.ZL_4Rw.YxHDdTIM2doNLmKcTnA1o-z7wfY:Error" gave me a hit on the SMS code 1341.
And it worked! I now have access to the portal. After doing some enumeration, I find the Internal News section interesting. There is a button called Update. I ran Burp Suite and intercepted the request after pressing this button. An interesting parameter called news is shown.
I was able to obtain the /etc/passwd file using the news parameter, as shown above. Sending ../../../../../../proc/self/cmdline through this parameter returns the string /usr/bin/python3/home/devops/app.py (the NUL-separated argv of the running process), which tells me the application's source lives at /home/devops/app.py.
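Two of the weaknesses this walkthrough relies on, the unthrottled four-digit SMS code and the unrestricted news parameter, are straightforward to close on the server side. The following Python is an added example written for this write-up, not code from the SecureSolaCoders application; the attempt limit and code lifetime are assumed values, and the directory passed to safe_news_path is whatever the real application uses.

```python
import hmac
import os
import secrets
import time


def safe_news_path(news_dir, requested):
    """Resolve a user-supplied news name inside news_dir, or return None if
    the result escapes it (../ sequences, absolute paths, symlinks out).
    commonpath rather than startswith also rejects a sibling "news_direvil"."""
    base = os.path.realpath(news_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


class SmsVerifier:
    """4-digit SMS code check with an attempt limit and expiry. A 4-digit
    code has only 10,000 values, so without a limit it falls to the hydra
    run described above. The two limits are assumed values."""

    MAX_ATTEMPTS = 5
    TTL_SECONDS = 300

    def __init__(self, now=time.time):
        self._now = now       # injectable clock, for tests
        self._pending = {}    # username -> [code, issued_at, failures]

    def issue(self, username):
        code = f"{secrets.randbelow(10_000):04d}"
        self._pending[username] = [code, self._now(), 0]
        return code

    def verify(self, username, submitted):
        entry = self._pending.get(username)
        if entry is None:
            return False
        code, issued_at, failures = entry
        if self._now() - issued_at > self.TTL_SECONDS:
            del self._pending[username]   # expired: a new code is required
            return False
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self._pending[username]   # one-time use
            return True
        entry[2] = failures + 1
        if entry[2] >= self.MAX_ATTEMPTS:
            del self._pending[username]   # locked: a new code is required
        return False
```

With the lockout in place, the 9,000-entry wordlist used above would be stopped after five guesses, and the traversal payloads are rejected before any file is opened.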
And now I have access to the source code of the application. I copied the source code to a text file.
Viewing the source code shows that the user admin@securesolacoders.no is not allowed to log in.
But there is an interesting section for the admin user. The goal now is to decode the secret key to get a session as the admin user.
I obtained the secret key.
Using the secret key, I generated a new session cookie as the admin user.
With the new admin session cookie, I requested the /admin page. And it worked! I have access to the admin page with the session cookie I generated. Now that I have access as the admin, I can use the debug feature to get a shell.
Now I have a reverse shell connection from the target machine on port 8443. I used a Python reverse shell payload; I tried a few different payloads first, but they did not work.
Running ps -auxw shows the web application on port 80 is running as the user anders.
And I have full privileges over this directory. I can put a simple web shell here and upgrade it to a full reverse shell connection to obtain a session as anders.
I created a Pentest Monkey PHP reverse shell file called shell.php on my local machine, then downloaded it to the target machine using wget.
I started a listener on port 8444, visited shell.php, and obtained a reverse shell connection as anders.
Running LinPEAS shows that the Apache envvars file is writable.
I used this to set the SUID bit on bash. After restarting the Apache service on port 80 from the anders session, the change took effect, as can be seen from the devops session.
Using the devops session, I ran bash -p to spawn a root shell.
The first user.txt flag once I gained a foothold on the machine.
The user2.txt flag once I gained a reverse shell connection as anders.
The root.txt flag.